Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 07 November 2007

List of incidents of class Insufficient Authorization

Other WASC threat classifications:
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm


There are 22 incidents of class Insufficient Authorization
WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
Date: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

References:

WHID 2007-35: Data lapse involved 51,000 at a hospital
Date: 25 July 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

In a classic case of missing separation between production and development sites, an application still in development, lacking proper authentication and authorization, was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

References:

WHID 2007-34: Fox News leaks secret files
Date: 23 July 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

Fox News left non-public files in a directory accessible to everyone on their web server.

References:

WHID 2007-23: Office of Nation's Top Spy Inadvertently Reveals Key to Classified National Intel Budget
Date: 03 June 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

A spreadsheet left on the web site of the US Office of the Director of National Intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total figure can be calculated.

This is a very interesting example of the sensitivity of partial data and small pieces of information, not just the big secrets.

References:

WHID 2007-27: Files From Google On the Streets
Date: 30 May 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

Google left some files in the wrong place at the wrong time. These files included, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.

References:

WHID 2006-38: Convenience or just bad design?
Date: 12 July 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Altiris seems to have designed their servers so that it is easy both to access their customers' uploads and to find out their e-mail addresses.

References:

WHID 2006-40: Data Mining MySpace Bulletins
Date: 30 June 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

MySpace bulletins, presumably accessible only to the originator's social network, can be accessed by anyone by iterating through a message id query parameter.

References:

WHID 2006-2: GSA takes down eOffer after finding security flaw
Date: 13 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

Documents uploaded to the GSA site were accessed using a predictable sequential identifier without requiring special permissions. The documents were available both for viewing and for modifying. The site was in service for more than 18 months before the vulnerability was discovered.

References:

WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site
Date: 07 November 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2005-47: SEC Vs. The Estonian Spiders
Date: 02 November 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

Business Wire allowed access to unpublished press releases.

References:

WHID 2005-44: Xoops web site hacked
Date: 28 October 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Other

A configuration mistake left an unused virtual host unprotected. No details on the configuration problems were given.

References:

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
Date: 05 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, OS Commanding, SQL Injection

A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.

References:

WHID 2005-15: Unprotected information on the University of Chicago web site
Date: 27 May 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Files containing sensitive information were left unprotected on the web server.

References:

WHID 2005-10: Indian SATs results leaking
Date: 10 March 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

References:

WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site
Date: 14 June 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication, Insufficient Authorization

A billing information system required only a phone number and zip code to pull up account details.

References:

WHID 2004-8: Broadcast TV announcements changed by hacking the station's web site
Date: 04 March 2004
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization

Previously moderated weather announcements could be changed by any user.

References:

WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service
Date: 02 February 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega
Date: 02 February 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's
Date: 02 February 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks
Date: 26 January 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

References:

WHID 2003-7: Victoria's Secret reveals far too much
Date: 24 October 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Other customers' orders could be viewed by changing a sequential number within a URL parameter.

References:

WHID 2002-2: Advogato XSS virus account
Date: 21 September 2002
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location

References:

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.